
Rich Stroffolino
From the CISO Series, it's Cybersecurity Headlines. Beijing-linked hackers penetrated U.S. Treasury systems, Chrome extensions hijacked for data theft, and Russian tankers suspected of undersea data cable sabotage. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're ready for some insight, opinion and expertise from our returning guest. Making his third appearance, Quincy Castro, the CISO over at Redis. Quincy, thanks so much for being here and for being a three-timer. Now we have a very special three gold stars for you. I don't know what general rank that is. Brigadier. You're a brigadier guest according to my lack of knowledge of all military ranking. So thank you so much. I have to ask though, it was the New Year week, how was your week in cybersecurity?
Quincy Castro
So far so good, but we never ever like to say that out loud here in the afternoon on a Friday.
Rich Stroffolino
So minimally terrible I think is the.
Quincy Castro
Yes, minimally terrible.
Rich Stroffolino
Well, also before we jump into the news, I cannot wait to get into it. Quincy, always a pleasure to have you on. We have to thank our sponsor for today, ThreatLocker, zero trust endpoint protection platform. Remember to join us on YouTube live. To do so, go to cisoseries.com, hit the events dropdown and look for the Cybersecurity Headlines Week in Review image. If you've never joined us, you get a chance to give us your thoughts on the news of the week. React to what Quincy and myself are going to be talking about and throw out some questions if you have them. We always have a lively chat going. I already see Sean Kelly, CCL and the big boss man David Spark having a good old time in the chat. So get in there and have some fun. Just a quick disclaimer before we jump into the news that these opinions are those of our guest Quincy Castro, not necessarily those of Redis, friends, family, affiliates or other loved ones. We've got about 20 minutes though, so let's jump into it. First up here, Beijing-linked hackers penetrated U.S. Treasury systems. According to a letter sent from the U.S. Treasury to congressional lawmakers on Monday, a Chinese state-sponsored APT was responsible for what is being called a major incident that compromised U.S. Treasury Department workstations and classified documents at the Office of Foreign Assets Control. We may know it as OFAC. The department was notified on December 8 by BeyondTrust that a foreign actor had obtained a security key to remotely gain access to employee workstations and the classified documents stored on them. The letter did not specify the number of impacted workstations or the kind of documents accessed. And the agency adds the compromised service has been taken offline, and at this time there is no evidence indicating the threat actor has continued to access Treasury information. A longer read there, but important to give the context of where we are at. This is a pretty big deal here. 
So Quincy, this, this story might have gotten drowned a little bit. You know, it's a holiday week, you know, everybody's maybe taken off here. But it also seems to be pretty important given the term major incident was used along with the standard plausible deniability phrase. There's no evidence that, you know, et cetera, et cetera. I'm curious, do you have any further insights into what we know so far on this?
Quincy Castro
Yeah, so I don't have any unique insight into this campaign specifically, but it does sound really serious. Right. And for those that don't know OFAC, this is the office that's responsible for implementing US financial sanctions against the country's adversaries. Right. Arms traffickers, oligarchs and yes, like cyber operations and influence operations organizations. Right. I think we have a story about OFAC later on the show. So this is bad. And you can imagine why someone would want to be in here, the kind of data that OFAC has on its systems to allow them to go implement financial sanctions against these entities. So obviously a very like targeted, focused intrusion with a very specific outcome in mind. Right. I mean, I think the larger picture here that's interesting is this is being made public right on the heels of the Salt Typhoon stuff. You had some major US telcos saying like, oh hey, we finally kicked these guys out of our network. I think, you know, with an adversary like this, everyone should just be very skeptical that, you know, they've fully cleaned the environment unless they are really, really, really confident in what is taking place. Right. And so it's, you know, I think what's interesting to think about here is the larger political context for this. Right. We have a new administration coming into office in the United States, a lot of China hawks in that administration. Some of the things I see in my newsfeed say maybe there's more willingness to pursue covert action. And so, you know, now you've got these stories hitting the news where you've got, you know, state-sponsored Chinese operators in pieces of critical infrastructure, in key components of the U.S. government that are executing U.S. policy. And I mean, I think watch this space, right, because there's going to be pressure to do something about this and TBD on what that's going to be here.
Rich Stroffolino
I'm glad you mentioned the Salt Typhoon stuff because that's what stood out to me is, you know, anymore Salt Typhoon was so remarkable to me in that there was so much we don't know if they're out and then finally kind of coming clean, which is probably true of more breaches than we realize. But like the fact that that was transparent and this, they're coming out and saying, you know, pretty, pretty definitively like everything, you know, everyone's out. This has happened but it's, you know, it's now contained. That, that really did stand out to me. And yeah, kind of this, this, this interim period of the change of administrations is also striking when we know it's, you know, like there's just, it's a different news cycle, you know, everyone's on vacation. You know, the very classic time to do these types of things. Obviously it's the reporting on this, the, the assault was. Or you know, the, the hack was taking place earlier still. Yeah, I wonder if we'll even see even more stuff coming through. I know the inauguration is coming up, the switchover of administration will be finalized at that point. But yeah, it definitely seems to be a spot of opportunity has been identified by a lot of these persistent actors and CCL points out in our chat here, you know, very targeted strike shows a lot of sophistication. I mean not surprising that, you know, China or, you know, name state actor is capable of this kind of sophistication. But yeah, this extremely targeted and to your point, very valuable information as well. All right, next up here, Chrome extensions hijacked for data theft. The cybersecurity company Cyberhaven announced that on December 24th it suffered a breach as a result of a successful phishing attack on an administrator account for the Google Chrome store. This resulted in at least 5 of its Chrome extensions being compromised by threat actors who injected information stealer code. 
Subsequent investigations revealed the campaign impacted more than just Cyberhaven, with at least 35 extensions collectively used by roughly 2.6 million people, which I checked and that's a lot. So Quincy, this is not just a Cyberhaven problem, but the outcome of this hijacking is the ability to steal user Facebook credentials and bypass multi-factor authentication and CAPTCHA mechanisms. A lot of the things that we say of hey, have these implemented and you should be, you know, these are the baselines of defenses. A lot to unpack here. What's your take on this?
Quincy Castro
Yeah, so firstly, I mean kudos to Cyberhaven for coming out and talking about this. I think to me this is the right way to approach these kind of scenarios rather than the circle the wagons that you see with a lot of companies. This is a great story for a couple of reasons. Right. First, I think it highlights how adversaries are getting creative to evade endpoint defenses as kind of traditional tooling gets better and better. And hey, we're trying to protect the laptops that our employees work on. Well, okay, how do I get my tools onto that system and go get the stuff I want and be able to continue with my operations? And I was joking with someone like, this is almost like a B2C supply chain attack. You know, I love that. I think, you know, somebody, somebody was, was thinking here in terms of like, how to go get their job done. But you know, for CISOs. Right? And certainly, you know, this is something I've thought about. I think it's a great opportunity for security teams, particularly at tech and software firms, to think about how they'd respond to this kind of incident. Right. You know, if you are pushing apps to app stores or if you're releasing plugins or things that fit into other people's code like IDE extensions and stuff like that, do you really know where all of those things are hosted and how your users pull those down and who in the company is responsible for that stuff? And if you had to pull something out of an app store, who can do that? Because the last thing you want to do is be in a hot incident where something like this is in the news cycle, and the one engineer in the company who has the signing keys and has the permission to pull stuff out of the app store is on vacation for two weeks and nobody can reach that person. So this is a great tabletop topic, I think, to run through if you're a tech company. And certainly this is one that made me think a little bit about like, okay, how would we go respond to something like this at Redis? 
Do we know all the places that we would need to touch and things like that so well?
Rich Stroffolino
And I think as we've seen over this past year, year and a half of just this explosion of third party data breaches. I love that analogy of B2C kind of attacks here where, you know, it used to be, hey, you know, a lot of the concerns we have are, oh man, this is going to really open up something to attack the org chart. Right? And increasingly it's, no, no, we're attacking like these fundamental business relationships that we don't know the other side of Those also as well, we don't have full visibility into them. And threat actors identifying those as real opportunities to, you know, prey on lack of communication, lack of standardization, that kind of stuff is, is really, this is just like the most. One particular fascinating example of that.
Quincy Castro
Well, I think the other interesting piece of this, right is you look at what happened at like 23andMe and Snowflake with these like info stealer tools going after, you know, end users of the product and you know, discovering, hey, in bulk, if you go out and hit a ton of these companies customers, you can get a lot of credentials that you can use to pretty broad effect. And as you know, now security tooling gets better to go after info stealers. Well, how do you go get that job done? Well, maybe I can get into the browser somehow and do it that way. And so again, I think it shows the traditional model for thinking about intrusions, you know, and that kind of perimeter centric way of thinking isn't the only place that people need to think. Particularly if you're in a business where you're serving, you know, lots and lots of, you know, kind of end user consumers that may not have the greatest controls on their systems.
Rich Stroffolino
All right, well, speaking of interesting controls here, our next story here. Russian tankers suspected of undersea data cable sabotage. Authorities from Finland seized a Russian ship this week after it allegedly damaged several submarine cables in the Baltic Sea. The ship, the Eagle S, is an oil tanker that departed from a Russian port on December 25th. Merry Christmas. And is suspected of intentionally dragging its anchor for several miles, resulting in the complete severing of multiple cables including the Estlink 2 power cable and four telecommunications cables. A report from the shipping journal Lloyd's List describes the Eagle S as being loaded with spying equipment unusual for a merchant ship and used to monitor NATO naval and aircraft radio communications and to drop sensor-type devices in the English Channel. So Quincy, all the makings of a thriller novel here, to be sure. Not the first time that we've heard of Russians severing cables or initiatives taken to that effect. Especially with its Baltic neighbors, always a potential hotspot. Given the reliance we place on data and power cables, this certainly qualifies as an infrastructure threat. What's your take on attack by anchorage?
Quincy Castro
Yeah, so if somebody had asked me to make a movie of this, right, you know, there'd be a scene of like someone with all this like robotic, you know, remote control stuff on and there'd be these like deep sea submersibles going in and precision doing this and then it turns out like, no, if you want to be successful at this, just throw the anchor overboard, just drag it across a bunch of stuff and just destroy it that way. Which is a little, you know, unimpressive, but certainly gets the desired effect. You know, like, I think about these things, you know, I always think about like, how would I explain something like this to my grandmother, right? And I don't think the average person understands how inherently vulnerable the underpinnings of our digital infrastructure are in a lot of places, right? You know, and you know, whether it's undersea cabling, whether it's like BGP peering and stuff like that, and your ability to sort of influence traffic flows by messing that up. Our, you know, our digital economy, our, you know, sort of technical infrastructure that society increasingly depends on is to a great extent still dependent on global norms and goodwill and good behavior. And so when we see things happen like this and you look at the geopolitical tensions that are getting ratcheted up, you can see, hey, there's a temptation to go out and break some of these norms and sort of push the boundaries on stuff. If I drag it, hey, ship anchors catch undersea cables all the time, right? This is a thing that cable operators are used to dealing with. Maybe I go out and just cut six or seven or eight of these things and just see what happens, right? And well, if nobody really does anything, maybe I do it again and maybe I do it again and it's kind of like dependence on low Earth orbit communication satellites. 
So same kind of like vulnerable infrastructure that's sitting out there and there are these norms around not messing with stuff in low Earth orbit because it can create a huge mess and mess up that space for everybody. But you know, desperate times push people to do things that are maybe not, you know, hadn't been previously acceptable. So, you know, look, I think at a technical sort of CISO level here, right, I'm sure there's a lot of people that saw this and they're like, well, you know, I have a DR, BCP plan, not a big deal, right? You know, and if you're using CDNs and points of presence and all of that stuff, like, you know, there's a technical fix and we're fine. And I do think in our community there's a lot of people that go to that technical fix and just say, like, oh, don't worry, I can take care of it. But you know, being at a medium-sized tech company, right, like we don't have the luxury of huge data centers, you know, that we own all over the world to help us do this stuff. And so, you know, I do look at this and I think this is, this is not a technical problem for CISOs to go fix. This is more and more like a, an issue of global competition. Right. And this requires thoughtful policy responses and kind of big brain international cooperation to go tackle. So. And yes. Yeah, I think accident in quotes, to CCL's comment here, is a great way of thinking about this sort of thing.
Rich Stroffolino
Yeah, yeah, the. And yeah, I mean we always talk about that, right. It's like you only have to be successful once. I mean it's like the cost of this attack is, is weighing anchor essentially, you know, and to have that kind of outsized effect. So yeah, definitely, while you can plan to be resilient in the event of this happening. Yeah, the broader thing of we need some sort of international cooperation or policy that it's in everyone's best interest to maybe keep these lines open, or we would hope to build a structure that would allow that. But yeah, that's a little bit outside of the typical CISO scope. So I appreciate that, Quincy, and that kind of perspective and yeah, definitely something we'll keep an eye on for sure. Thank you CCL for that context as well. Before I move on to our next story, we have to spend a few moments with our sponsor for today, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. ThreatLocker helps you take a proactive default deny approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation are fully supported by their US-based support team. To learn more about how ThreatLocker can help keep your organization running efficiently and protected from ransomware, visit threatlocker.com. All right, next up here, Volkswagen software company CARIAD suffers Amazon cloud breach. The breach was discovered by Europe's largest ethical hacker association and it revealed that sensitive information for 800,000 electric vehicles from brands such as Audi, VW and Skoda in the VW Group were left exposed on a poorly secured and misconfigured Amazon cloud storage system. The data stolen includes GPS coordinates, battery charge levels and other vehicle status details. 
But experts warn that such data can easily be connected to owners through personal credentials thanks to additional data accessible through VW Group's online services. So Quincy, VW has downplayed this incident, saying that the exposed data affected only vehicles connected to the Internet and registered for online services. So I guess they were asking for it. And that that data could only be accessed after bypassing several security mechanisms that required significant time and technical expertise. Last time I checked though, time and technical expertise are two assets that cybercrime organizations generally have in decent abundance. I'm curious, do you find that companies, in an attempt to draw attention from damage to their brand, are turning a blind eye to the fact that, you know, we're all fundamentally connected and increasingly so? Like, how are we to take this?
Quincy Castro
Yeah, I mean, I think this really stands in context to what we talked about earlier with transparency around, you know, intrusions. Like, I find this story really frustrating and I never want to victim blame in these scenarios, right. Because we don't have all the information, we're sort of seeing what's publicly out there, but what's out there is pretty frustrating, you know, and to turn around and say, oh well, the victims were limited to the people that just enabled the services we told them to turn on, to operate the thing we sold them feels pretty victim blaming itself. Right. So, you know, I look at this and to me the first thing that strikes me as a CISO is there's something fundamentally wrong with the corporate culture involved here. Right. When you look at the response, it's problematic for so many reasons. You know, they claim this is super hard to exploit. Clearly that's not the case. Right. Like this was, this was exploited and, and reported about extensively. Oh, it's the customer's fault for sharing the data with us, you know, but hey, we told them that they kind of have to do this to be able to use these services. And you know, well, we follow the law, but the law doesn't really know how to handle things like this yet. You know, and if it's prescriptive, it's prescriptive in a lot of cases, such a minimal level that, you know, it's never going to tell you, well, you have to protect S3 buckets in this way and things like that. Right. You know, and clearly if you've got police cars connected to this service, if you've got potential intelligence officers and politicians enrolled in this service, either people didn't know what they were agreeing to when they clicked that box or whatever, or it wasn't clear what data were being collected. And so, you know, look, I think ultimately this is an incentive problem that you particularly see with, you know, security of industrial systems. Right. 
And so more and more services are needed to optimize and operate long-lived assets, whether that's trains or locomotives or gas turbines, wind turbines, that kind of stuff. And so in that context, right, like if you don't like the security posture of the vendor or something like this happens, it's really hard to walk away from that service because you own that thing and you expected it to last 10, 20, 30 years in the field. Right. If you're a consumer, you can't just go out and buy a different car, like buy a different HVAC system or buy a different air. Maybe you can buy a different air.
Rich Stroffolino
fryer, you know, but it's harder to rip and replace. Like a car that you've made a financial commitment to. Yeah, long-term financing for that kind of stuff. Yeah, for sure.
Quincy Castro
Yeah. And so look, I mean people that know me know that I've been pretty skeptical around the idea that like the EU is going to be the world's like, you know, rulemaker and rule enforcer and that kind of thing. But I do think in this case, like you see the EU bringing, you know, this new software liability regime into force next, what, 2026, I think, where they're going to hold people liable for vulnerabilities that cause damages to consumers. Right. And to me, I look at this and I think, well, how do you get a company like CARIAD to listen up? It's probably that kind of thing, changing the incentive structure. So they do take this stuff seriously and they don't fall back on blaming the people that enrolled in their services for the loss of their information.
Rich Stroffolino
Yeah. If anything this, this shows me that the, either the CARIAD or the VW Group incident response plan doesn't like have like, like someone with emotional empathy, like maybe reviewing what they put out there. Which is, which is not to say like, like on the one hand I do sympathize. Like, okay, maybe percentage-wise this is not a great number of people, or like there is factual truth that doesn't also speak to human experience, which can be extraordinarily frustrating.
Quincy Castro
Right, right. And the one, I mean, the one thing that really stood out to me is when you read the article here, it says that a whistleblower approached the Chaos Computer Club with this information, which tells me that someone was so frustrated. I mean, look, obviously people have their own agendas. You know, whistleblower isn't always a whistleblower. But you know, let's take that at face value. Someone was so frustrated with the corporate culture there and presumably their inability to escalate this through some risk management process that they just went to an outside hacker group and were like hey, look at this.
Rich Stroffolino
You know, this will be more effective. Yeah. Than anything internal. Yeah.
Quincy Castro
Right. And so, you know, again, I come back to corporate culture and corporate leadership around effective security practices and giving people an opportunity to raise their hand and say, look, I don't think this is a good idea. We shouldn't be doing stuff this way. And imagine what a different story this would be if this had been exposed and the company came out and said, yes, that's true. You know, it was for these reasons, you know, and maybe they point to a risk management process and say, yeah, this was a known risk, but we needed to take this product to market. And so we thought that this was acceptable because it was obscured in this way. Right. Or, hey, we didn't know about this and, you know, like, thank you for letting us know and here's what we're going to do to make sure this doesn't happen in the future instead of pointing the finger at the customers and saying, well, it's your fault for doing what we told you to do, you know.
Rich Stroffolino
All right, well, our next story here. Large-scale supply chain attack using generative AI now possible, says researcher. Crystal Morin, former intelligence analyst at the US Air Force and cybersecurity strategist at Sysdig, says she anticipates seeing highly successful supply chain attacks in 2025 that originated with an LLM-generated spearfish. This is because cybercrime groups know they don't need to train their own LLMs. They can just steal credentials and then jailbreak existing ones, which we know is pretty readily possible. She says that this is not pointing to a fully AI-generated attack leading to business operation shutdown, but instead the focus will be on more sophisticated social engineering campaigns. She calls spear phishing and social engineering her greatest security concern in 2025. So, Quincy, we ask this question very often on this show. What can be done to better protect organizations from social engineering, increasingly at a kind of unknown scale that we haven't seen before?
Quincy Castro
Yeah. So I think 2025 should be the year that CISOs really make best friends with the head of their data teams and figure out what's going on over there. Right. Because when I look at the article here and look at what they're talking about, right. You know, it's all about like credentials getting captured for, you know, LLMs by the users. Who are the users? Well, in a lot of cases, they're, you know, people that are hacking together POCs, they're data teams that are trying new stuff out. Right. You know, they're people that are operating outside, in a lot of cases, the normal kind of lines of business within a company. And I've talked to so many CISOs who say, yeah, over here with my, like, regular production apps and all of this kind of stuff, I am really confident. But over here with like the AI team that's piloting, you know, some new chatbot, or the data team that's trying to do like analytics on all this stuff that's sitting in our data lake, like, like, no idea. They've got their own tools, they do a ton of development locally. They're, you know, in all of these services. And honestly, like, if you figure this is a hard skill set to go hire for just as a line of business, does anyone on the security team really understand what is going on over there, what these tools do, where these data are coming from? In a lot of cases, if you go to even security-savvy IT teams and they're like, hey, what did you give the data team access to? It's like, I don't know, they asked for some API keys and then off to the races. I think this is a place, particularly as we see this explosion of work, you know, racing towards AI adoption, where security professionals really need to get in this space, get in people's business a little bit, understand what's going on, not to disrupt it. You know, in my own opinion, not to say no to stuff, but to figure out, like, how do we put our arms around this a little bit and just help people move fast and get stuff done in a way that is secure. 
Right. And stop. You know what, what's described here, which is just wide scale stealing of people's access credentials for very expensive services.
Rich Stroffolino
Yes. CISOs, hug your CDO or whatever, VP is in charge of data.
Quincy Castro
I mean, I don't know what your relationship is over there.
Rich Stroffolino
This is true. This is true. Fist bump, elbow, air five. Yeah. Whatever it takes. Yeah. If you haven't started that conversation. Yeah. 2025 is the. Let's make that your 2025 New Year's resolution. CISOs everywhere, please, please. All right, and our last story for today. Iranian and Russian entities sanctioned for election interference. On Tuesday, the U.S. Office of Foreign Assets Control. It's an OFAC sandwich here to finish it up. The very same office that was the target of the Chinese hack that we covered at the start of the show leveled sanctions against Iran's Cognitive Design Production Center, or CDPC. Quality name, folks. And Moscow's Center for Geopolitical Expertise, alleging these entities attempted to stoke sociopolitical tensions and influence the U.S. electorate during the 2024 U.S. election. I don't know if you're the Cognitive Design Production Center, I don't know what else I guess you're trying to do, but sanctions are sanctions. So Quincy, there's almost every show where there's a story I have to look over my metaphorical glasses in a schoolmarm style. I brought physical glasses, actually, today. In this case, I'm also going to add. Wait, what? Even if the Chinese hack is unrelated, I'm curious, do you feel these sanctions do anything other than gain some positive headline space? Not to take away from efforts of, of CISA and others that try to establish protections, but do sanctions of this type actually achieve anything beyond a slap on the wrist?
Quincy Castro
You know, it really depends. And certainly if at the beginning of the show, and you're still with us, you were like, what's OFAC? This is why people want to break in there. So much depends on the nature of the sanctions and what they're trying to achieve. Right. I think for some people, look, if you're hanging out in your country and you have no ambition to travel anywhere and you don't have any money sitting overseas, this probably is, you know, not a problem for you, right? But if you're, you know, a 20-, 30-something-year-old tech professional and you happen to work for your nation's government and you're engaged in this kind of stuff, or maybe you're, you know, a private citizen and your firm has been hired to work in these kind of things. And hey, you go to FIFA stuff, you go to Paris, you go to Ibiza at a party, like it's not great being on these lists, right? And it's, life starts to become harder and harder if you like to travel to, you know, Western European and US-allied countries. So I think it potentially is problematic, I think it's potentially problematic if you need to use the international banking system and the, you know, at least today, like the arm of the U.S. Treasury and its ability to influence people's like, ability to have a bank account and spend money, like it's pretty long. So yeah, I kind of look at this as like, this is sort of the least, you know, it's like the, like the least worst or kind of like the best way to do something that's really hard. And I think, you know, there's, you could have a whole show dedicated to like, you know, with people way smarter than me talking about the effectiveness of financial sanctions and how do you create incentives to get people to stop doing the things that they're doing. And I mean, what we've seen out of like the FBI and other U.S., you know, government agencies in cases around like Chinese intellectual property theft was like, let's just put pictures of people on notices and call them out by their true names and things like that. And, you know, at least the people that work in those positions think there's a deterrent effect to just naming people and, you know, talking about who they are. So, yeah, I don't know. I think, I think, you know, it sort of remains to be seen what happens here, but there's also a domestic element to this too. And I think it's good for, you know, I'm an American citizen, I live in the US. Like, I think it's good for people in this country to see these things exposed. You know, I think there's so much FUD about who are hackers, what are these things? Is any of this stuff real? And so to be able to say, like, here is a named organization. What does this named organization do? Well, it does these things through these channels to try to get people to line up with what the government of that country wants them to do. And so I do think getting this out there and helping to educate populations more broadly is helpful. Right?
Rich Stroffolino
So, yeah, definitely. And CCL. Yeah. To answer, you kind of answered your own question in the chat here, but saying what, what, what is a sanction on an entity when the whole country is already sanctioned? Yeah, it impacts people associated that might be traveling internationally and that kind of stuff. I don't know how much that impacts Iranian officials, but certainly in Russia that would have a very wide scope potentially for a lot of those people. And also, Quincy, I want to start a series that is not best practices but worst practices. I think that'll be my TED Talk for cybersecurity going forward. So thank you for that. Before we get out of here though, Quincy, was there any story that was a thumbs up or an eye roller for you either in the rundown or just kind of in the news of the week?
Quincy Castro
I want to dig more into the air fryer thing. I think that's fascinating that that wasn't the story we had today, but it's something that's been in my news feeds and you know, whenever people say consumer appliances are spying on people, like, all right, cool. Like, let's tear them apart and find that out. So more to come on that one.
Rich Stroffolino
Well, we also had the Siri lawsuit settlement, you know, of Siri, you know, listening to you and being recorded and Stuff like that. So, hey, it turns out all of things that we thought were paranoid fantasies, maybe, maybe less so.
Quincy Castro
The part you never see in, you know, these kind of black mirror things is like when people choose to do it to themselves. Right. I think that's the part that my younger self wouldn't have anticipated about the...
Rich Stroffolino
...world we live in, and that it potentially is like the most boringest reason.
Quincy Castro
Why did you give all the data? Well, I wanted Tater Tots made the way I like them. So, you know, like, sure, yeah. Here's my location and all of my personal information and stuff.
Rich Stroffolino
2% more crispy, you know, for all my PII. I mean, you can't, you can't beat that. So, yeah, so definitely, I mean, yeah, that'll definitely be. I don't think anything that's going to have the brakes put on any time soon. Well, well, Quincy Castro, CISO over at Redis. This was your third time on. We will definitely have to have you on for a fourth gold star level appearance. Thank you so much. This was phenomenal. Where can people find you online if they're so inclined to, to keep tabs?
Quincy Castro
I'm on LinkedIn at Quincy Hyphen Castro and yep, there we go.
Rich Stroffolino
Yeah, you'll have a link to that in our show notes.
Quincy Castro
Cool. And yes, we are hiring right now. Should have a new role posted Monday. I think so. Yes.
Rich Stroffolino
Excellent.
Quincy Castro
Feel free to reach out and...
Rich Stroffolino
Do you want to share your brand of air fryer in case people want to keep track of you that way?
Quincy Castro
So I don't have one is the thing. And so now we've got to hold, do the whole TPRM review of the air fryer vendors and stuff like that and probably six months out here we'll get to a decision.
Rich Stroffolino
All right, well, thanks also to our sponsor for today, ThreatLocker Zero Trust Endpoint Protection Platform. Thanks again, Quincy. This was just phenomenal. Always a joy to have you on and we will have to have you on later this year because this was a blast.
Quincy Castro
Awesome. Thank you so much for having me.
Rich Stroffolino
Thanks also to our audience for today. We can't get every comment up on the screen or address it during the show, but we really do appreciate you being here. CCL, of course, one of our regulars, always bringing a strong chat, but also Tim Christman, we had Sean Kelly in there and the big boss man, David Spark himself dropping some MFA thoughts, which we always appreciate. Just a reminder, there'll be no Super Cyber Friday next week, but we will have another episode of the week in review show starting at 3:30pm Eastern. To register for that, just head on over to our events page at cisoseries.com. If you join us live, remember, you can join in our chat and we'd love to have you here. In the meantime, you can still get your daily news fix every single day through cybersecurity headlines. And give us about six minutes. We'll get you all caught up. Until the next time we meet, I'm Rich Stroffolino reminding you to have a super sparkly day.
Quincy Castro
Cybersecurity headlines are available every weekday.
Rich Stroffolino
Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffolino
Guest: Quincy Castro, CISO at Redis (Third Appearance)
Sponsor: ThreatLocker
The episode kicks off with a significant security breach where Beijing-linked state-sponsored hackers infiltrated the U.S. Treasury Department’s systems. According to a letter from the Treasury to congressional lawmakers, the Office of Foreign Asset Control (OFAC) experienced a “major incident” on December 8th. The breach involved unauthorized access to employee workstations and classified documents through a compromised security key.
Discussion Highlights: Quincy emphasizes the seriousness of the breach, highlighting OFAC's role in U.S. financial sanctions and the valuable data it holds. He notes the timing around the change in U.S. administration, suggesting increased opportunities for covert actions by adversaries like China. Quincy also cautions against complacency, referencing recent incidents like the Salt Typhoon breach, to underline the sophistication and persistence of state-sponsored threats.
A major breach at Cyberhaven was disclosed, involving the compromise of at least five Chrome extensions through a successful phishing attack on an administrator account for the Google Chrome Store. This breach affected approximately 2.6 million users across 35 extensions, enabling threat actors to steal Facebook credentials and bypass various security measures.
Discussion Highlights: Quincy commends Cyberhaven for their transparency in addressing the breach, contrasting it with the often secretive nature of such incidents. He discusses the evolving tactics of adversaries to evade traditional endpoint defenses, framing the attack as a “B2C supply chain attack.” Quincy urges organizations, especially those in tech, to conduct thorough tabletop exercises to prepare for similar incidents. Rich adds that the increasing number of third-party data breaches highlights vulnerabilities in fundamental business relationships and the need for enhanced communication and standardization.
Authorities in Finland have seized the Russian oil tanker Eagle S, suspected of deliberately damaging multiple undersea cables in the Baltic Sea by dragging its anchor. The sabotage allegedly severed several data and power cables, disrupting telecommunications and power supply.
Discussion Highlights: Quincy notes that the incident is far less sophisticated than what thriller novels might depict, emphasizing how a simple action like dragging an anchor can have a profound impact on critical infrastructure. He points out the inherent vulnerabilities in undersea cabling and the broader implications for global infrastructure security. Quincy stresses that addressing such threats requires international policy and cooperation, moving beyond technical fixes to tackle issues of global competition and geopolitical tensions. Rich echoes the need for resilience but underscores that technical solutions alone are insufficient without broader strategic responses.
Cariad, Volkswagen’s software division, experienced a significant breach when sensitive data for 800,000 electric vehicles was exposed due to a misconfigured Amazon cloud storage system. The leaked data included GPS coordinates, battery charge levels, and other vehicle status details, which could potentially be linked to owners through additional accessible data.
Discussion Highlights: Quincy criticizes Volkswagen’s response to the breach, highlighting a problematic corporate culture that shifts blame onto customers instead of addressing internal security flaws. He argues that victim blaming is unacceptable and points to the necessity of a robust risk management process. Quincy emphasizes that reliance on long-term assets like cars makes it difficult for consumers to switch vendors, thereby increasing the responsibility of companies to maintain stringent security measures. Rich adds that Volkswagen’s lack of empathy in their response underscores deeper issues within their incident response strategy, pointing to the need for more thoughtful and responsible communication during breaches.
Researcher Crystal Morin forecasts that by 2025, supply chain attacks leveraging generative AI, particularly through LLM-generated spear phishing, will become highly successful. Cybercriminals can exploit existing large language models (LLMs) by stealing credentials and jailbreaking them to create sophisticated social engineering campaigns.
Discussion Highlights: Quincy stresses the importance of CISOs collaborating closely with data teams to mitigate risks associated with credential theft and misuse of AI tools. He highlights the challenges posed by decentralized development environments and the lack of oversight in teams experimenting with new technologies. Quincy advocates for proactive engagement from security professionals to understand and secure AI-related workflows, preventing widespread credential compromise. Rich adds a light-hearted yet earnest reminder for CISOs to strengthen their relationships with data leaders, emphasizing the critical nature of this collaboration in defending against evolving threats.
The U.S. Office of Foreign Asset Control (OFAC) imposed sanctions on Iran’s Cognitive Design Production Center and Moscow’s Center for Geopolitical Expertise. These entities were accused of attempting to influence the 2024 U.S. election by stoking socio-political tensions and spreading disinformation.
Discussion Highlights: Quincy evaluates the effectiveness of financial sanctions, noting that while they can complicate life for targeted individuals, their overall impact varies depending on the entities’ reliance on the international banking system. He acknowledges the symbolic value of sanctions in deterring malicious activities and educating the public about foreign interference. Quincy also underscores the role of U.S. agencies in naming and sanctioning entities as a deterrent and awareness tool. Rich questions the practical impact of sanctions, especially when broad measures already affect an entire country, highlighting the debate around targeted versus comprehensive sanction strategies.
Before concluding, the host and Quincy touch on related topics and audience interactions.
This episode of Cyber Security Headlines provided an in-depth analysis of recent high-profile security incidents, including state-sponsored cyberattacks, cloud breaches, and emerging threats from generative AI. Quincy Castro offered expert insights into the complexities of modern cybersecurity challenges, emphasizing the importance of corporate culture, interdepartmental collaboration, and proactive security measures. The discussions underscored the evolving landscape of information security, highlighting the need for continuous adaptation and comprehensive strategies to safeguard critical infrastructure and sensitive data.
For more detailed insights and daily updates, visit CISOseries.com.